Possible virus with svchost.exe

Hi, recently I keep receiving URL:Mal block notices from the avast blocker every once in a while when I am using an internet browser or idling. The sites that got blocked are “68.169.92.53”, “178.162.172.37”, and “66.230.138.103”. Every time this happens, they come together, up to 8-10 times. The process these URL:Mal alerts involve is svchost.exe according to the avast blocker.

The PC I use is Windows XP 2002, SP3. I had used Malwarebytes and SUPERAntiSpyware, and removed all Java apps since I heard malware may disguise itself in there. Before, I had trouble restarting the PC too, but I can at least restart now without shutting it down manually; however, the pop-up notices persist. Thanks.

I made a little mistake: instead of “66.230.138.103”, it is 66.230.138.163. Thanks.

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )

To avoid using multiple posts with copy and paste you have to attach the logs:
Lower left corner: Additional Options > Attach (Malwarebytes log / OTL log); save the OTL log as ANSI.

Essexboy will look at the logs when he arrives here later today…

I have attached the logs that were required in ANSI format, thanks.

On completion of this run let me know if the alerts cease

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D9 2D C8 03 9C 54 BC 44 85 2B 53 CD FD 1B 3E 24 [binary data]
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D9 2D C8 03 9C 54 BC 44 85 2B 53 CD FD 1B 3E 24 [binary data]
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D9 2D C8 03 9C 54 BC 44 85 2B 53 CD FD 1B 3E 24 [binary data]
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D9 2D C8 03 9C 54 BC 44 85 2B 53 CD FD 1B 3E 24 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D9 2D C8 03 9C 54 BC 44 85 2B 53 CD FD 1B 3E 24 [binary data]
IE - HKU\S-1-5-21-73586283-1085031214-1417001333-500\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D9 2D C8 03 9C 54 BC 44 85 2B 53 CD FD 1B 3E 24 [binary data]
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370
FF - prefs.js..network.proxy.type: 4
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-73586283-1085031214-1417001333-500\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O33 - MountPoints2\{ef1e2028-3311-11df-b3bd-0018de2550ea}\Shell\Autoplay\Command - "" = E:\xmss.exe
O33 - MountPoints2\{ef1e2028-3311-11df-b3bd-0018de2550ea}\Shell\AutoRun\command - "" = E:\xmss.exe
O33 - MountPoints2\{ef1e2028-3311-11df-b3bd-0018de2550ea}\Shell\Explore\Command - "" = E:\xmss.exe
O33 - MountPoints2\{ef1e2028-3311-11df-b3bd-0018de2550ea}\Shell\Open\Command - "" = E:\xmss.exe
[2011/07/25 11:26:26 | 000,000,124 | ---- | M] () -- C:\WINNT\System32\370613186
[2011/06/14 00:10:14 | 000,001,630 | -HS- | C] () -- C:\Documents and Settings\All Users.WINNT\Application Data\deow1vg58852bdtc3g62w37712kpxb620d03722ipd
[2011/06/14 00:10:14 | 000,001,630 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\deow1vg58852bdtc3g62w37712kpxb620d03722ipd
[2011/05/29 14:14:48 | 000,001,618 | -HS- | C] () -- C:\Documents and Settings\All Users.WINNT\Application Data\ekm2k560x0nt4y6377xsjc7031o2b4
[2011/05/29 14:14:48 | 000,001,618 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ekm2k560x0nt4y6377xsjc7031o2b4
[2011/05/13 13:17:38 | 000,008,138 | -HS- | C] () -- C:\Documents and Settings\All Users.WINNT\Application Data\13nnf18pd0364y8w46p0i346m583t86kk1odd1c8w0
[2011/05/13 13:17:38 | 000,008,138 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\13nnf18pd0364y8w46p0i346m583t86kk1odd1c8w0
[2011/05/11 16:59:55 | 000,006,980 | -HS- | C] () -- C:\Documents and Settings\All Users.WINNT\Application Data\t5h3710btkyvc7ysrur63f5pk32e0x8r082s66
[2011/05/11 16:59:55 | 000,006,980 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\t5h3710btkyvc7ysrur63f5pk32e0x8r082s66
[2011/05/06 01:16:27 | 000,008,340 | -HS- | C] () -- C:\Documents and Settings\All Users.WINNT\Application Data\efw7mk2wi2bny11j802y46e84pgr574ub
[2011/05/06 01:16:27 | 000,008,340 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\efw7mk2wi2bny11j802y46e84pgr574ub
[2011/04/16 01:15:30 | 000,007,756 | -HS- | C] () -- C:\Documents and Settings\All Users.WINNT\Application Data\b513h2vulke4
[2011/04/16 01:15:30 | 000,007,756 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\b513h2vulke4

:Reg
[HKU.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D9 2D C8 03 9C 54 BC 44 85 2B 53 CD FD 1B 3E 24 [binary data]
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = D9 2D C8 03 9C 54 BC 44 85 2B 53 CD FD 1B 3E 24 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-73586283-1085031214-1417001333-500\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
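As an added example (not code from this thread, from OTL or from Essexboy), a small Python triage script that parses OTL-format log lines and flags the three indicator patterns the fix above targets: a Firefox proxy pointed at localhost, MountPoints2 autorun handlers launching an executable, and hidden+system files with random-looking names under Application Data. The sample lines are constructed, modelled on the entries quoted in the fix; the Adobe line is a benign control.

```python
import re

# Constructed sample lines in OTL log format (not a real log from this thread).
SAMPLE_OTL = r"""
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370
O33 - MountPoints2\{ef1e2028-3311-11df-b3bd-0018de2550ea}\Shell\AutoRun\command - "" = E:\xmss.exe
[2011/06/14 00:10:14 | 000,001,630 | -HS- | C] () -- C:\Documents and Settings\All Users.WINNT\Application Data\deow1vg58852bdtc3g62w37712kpxb620d03722ipd
[2011/05/01 10:00:00 | 000,010,000 | ---- | C] () -- C:\Documents and Settings\All Users.WINNT\Application Data\Adobe
"""

PROXY_RE = re.compile(r'^FF - prefs\.js\.\.network\.proxy\.http: "([^"]+)"')
MOUNT_RE = re.compile(r'^O33 - MountPoints2\\.*\\Shell\\\w+\\[Cc]ommand - "" = (.+)$')
# [date time | size | attrs | C/M] () -- path
FILE_RE = re.compile(r'^\[[^|]+\|[^|]+\|\s*([-RHSD]{4})\s*\|\s*[CM]\]\s*\(.*\)\s*--\s*(.+)$')
RANDOM_NAME_RE = re.compile(r'^[a-z0-9]{10,}$')

def looks_random(name):
    """Long lowercase run mixing letters and digits, like the dropper's data files."""
    return (bool(RANDOM_NAME_RE.match(name))
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))

def triage(otl_text):
    """Return (finding, line) pairs for the indicator patterns seen in this thread."""
    findings = []
    for line in otl_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m and m.group(1) in ("127.0.0.1", "localhost"):
            findings.append(("firefox-proxy-to-localhost", line))
            continue
        m = MOUNT_RE.match(line)
        if m and m.group(1).lower().endswith(".exe"):
            findings.append(("mountpoints2-autorun-exe", line))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            name = path.rsplit("\\", 1)[-1]
            if "H" in attrs and "S" in attrs and looks_random(name):
                findings.append(("hidden-system-random-name", line))
    return findings

if __name__ == "__main__":
    for kind, line in triage(SAMPLE_OTL):
        print(f"{kind:28} {line}")
```

Run it against a saved OTL.txt by replacing SAMPLE_OTL with the file's contents; the heuristics are deliberately narrow, so treat hits as items to review, not as a verdict.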

How long does it take for the run/scan? Because I am not sure if OTL is frozen or not after an hour. Thanks a lot.

It may take a while if you have a lot of temporary files, but not an hour; close it please and then re-run a fresh OTL scan.

Once again, it freezes at “Processing Registry data IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]”. I had to restart the PC manually, but I notice there are some transparent temp files on the desktop afterward.

Could you run a fresh OTL scan please and I will see if I can locate the blockage

Also the transparent files are system ones and I will hide them again at the end

Here is another scan. I have to run the exe file from the C drive, because I sometimes get an error opening it from the desktop.

What error do you get on the desktop ?

All that remains are the two orphan registry entries

HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main
XMLHTTP_UUID_Default =
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main
XMLHTTP_UUID_Default =

It just said you are unable to install or open, but it works sometimes. So do I try the custom scan with those 2 lines again (tried, and it froze again on the registry data; explorer.exe also got shut off when it freezes), or should I try the software you suggested to donjuangirl, since we have very similar problems I believe?

Let's try a slightly stronger programme

Download and Install ComboFix
Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Can I install it on my C drive, since I get the NSIS error “error launching installer” on the desktop? It's probably because my Windows is in Chinese instead of English.

Yep no problem

ComboFix’s auto scan is at completed stage 49, but it hasn't moved a bit for a while. It did not freeze though.

OK if it has not finished now then close the programme out and run this … Although I feel you may have some system problems as well

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i1224.photobucket.com/albums/ee362/Essexboy3/TDSSKiller%20shots/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Finally, the program runs smoothly. Here is the log.

Could I have one more OTL log to check it out? How is the system behaving now?

OK, here is the quick scan log.